The business and culture of our digital lives, from the L.A. Times

Personal log-on info often leaks to advertisers, researcher finds

Information that could identify you often leaks from major websites to online advertisers because of the practice of embedding such data in the Web addresses shared between sites when a user logs on.

Such data leakage may involve a person's name, user name or email address and is pervasive, though not necessarily intentional, among the most popular websites, said Jonathan Mayer, a Stanford graduate student who has studied the phenomenon and released findings Tuesday.

The information is transferred because the unique Web address, or URL, created when a person logs on to a site is sent to third parties to assist them in delivering pertinent ads and other content on the page. Mayer and other privacy advocates said the leakage is a risk because one identifiable piece of information associated with a Web browser's unique sequence of numbers could allow all that browser's activity to be connected to a particular person.

For example, when a user logs on to the Home Depot website and then looks at a local ad, the person's first name and email address are sent to 13 companies, Mayer said.

"And that email and first name get associated not just with what you're doing right now, but get associated with what you've done in the past and what Web-browsing activity you might have in the future," Mayer said.

Mayer also found that trying to log on to the Wall Street Journal website and using the wrong password sent the user's email address to seven companies. Changing user settings on the video-sharing site Metacafe sent the person's first name, last name, birthday, email address, physical address and phone numbers to two companies.

Mayer studied 185 of the most-visited websites that offered free individual log-ins, though he excluded the main Google, Yahoo and Facebook sites because they offered so many features that it was impractical to study them all.

He found that 61% of the 185 sites shared a person's user name or ID with another website. Some sites shared the information with numerous third parties. Mayer created accounts for sites and then tracked where the information went. On the photo-sharing site Photobucket, his study found that a username was sent to 31 other websites.
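An added example, not part of the article and not code from Mayer's study: a Python sketch of this kind of audit, which takes the identifiers of a test account and a capture of browser requests and reports which third-party sites received each identifier. The domains, account values and capture are constructed, and it assumes the identifiers travel in the request URL or the Referer header, possibly percent-encoded more than once.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed test-account values: what the auditor typed into the site.
IDENTIFIERS = {"email": "pat.audit@example.org", "first_name": "Patricia",
               "username": "pat_audit_77"}

# Constructed capture of (request URL, Referer header) pairs after log-on.
CAPTURE = [
    ("https://shop.example/welcome?name=Patricia&email=pat.audit%40example.org", ""),
    ("https://ads.adnet-one.example/serve?slot=top",
     "https://shop.example/welcome?name=Patricia&email=pat.audit%40example.org"),
    ("https://px.metrics-two.example/t?page=https%3A%2F%2Fshop.example%2Fu%2F"
     "pat_audit_77%3Fe%3Dpat.audit%2540example.org", "https://shop.example/"),
    ("https://cdn.fonts-three.example/font.woff2", "https://shop.example/"),
    ("https://static.shop.example/app.js", "https://shop.example/welcome?name=Patricia"),
]

def site(url):
    """Crude registrable domain: last two host labels (no Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def decoded_forms(text, depth=3):
    """The text lowercased, plus up to `depth` rounds of percent-decoding."""
    forms = [text.lower()]
    for _ in range(depth):
        nxt = unquote_plus(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def find_leaks(first_party_url, identifiers, capture):
    """Map each identifier name to the third-party sites that received it."""
    home = site(first_party_url)
    leaks = {name: set() for name in identifiers}
    for url, referer in capture:
        dest = site(url)
        if dest == home:
            continue  # same site as the log-on page, so not a third party
        haystack = decoded_forms(url) + decoded_forms(referer)
        for name, value in identifiers.items():
            if any(value.lower() in form for form in haystack):
                leaks[name].add(dest)
    return {name: sorted(sites) for name, sites in leaks.items()}

if __name__ == "__main__":
    for name, sites in find_leaks("https://shop.example/", IDENTIFIERS, CAPTURE).items():
        print(f"{name}: {len(sites)} third-party site(s) {sites}")
```

Matching is by substring, so short identifiers such as a common first name can produce false positives and should be checked by hand.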

Asked how consumers could avoid such data leakage, Mayer said, "The best thing they can do is to block advertising, because the moment content is loaded on the browser there is a risk of tracking."

Online privacy advocates said the problem of data leakage shows the need for a do-not-track mechanism, similar to the popular do-not-call list for telemarketing. Such a mechanism would allow consumers to opt out of online tracking, which is used to deliver advertising tailored to a person's behavior.